220 likes | 394 Views
Outsourcing Security Analysis with Anonymized Logs. Jianqing Zhang, Nikita Borisov, William Yurcik 2 nd International Workshop on the Value of Security through Collaboration Friday, September 1, 2006. Motivation. Managed Security Service Providers: Security outsourcing is a trend
E N D
Outsourcing Security Analysis with Anonymized Logs Jianqing Zhang, Nikita Borisov, William Yurcik 2ndInternational Workshop on the Value of Security through Collaboration Friday, September 1, 2006
Motivation • Managed Security Service Providers: Security outsourcing is a trend • Security monitoring is getting more complicated and sophisticated • Economical: assemble skilled security professionals • Effective: shared security infrastructure across organizational boundaries • Challenges • Sensitive data is shared • Data protected by privacy laws • Valuable information to competitors • Useful information to adversaries Outsourcing Security Analysis with Anonymized Logs
Managed Security Service Provider Outsourcing Security Analysis with Anonymized Logs
Problem Statement • What are the criteria for log anonymization that sufficiently protect privacy and guarantee MSSP’s efficiency? Outsourcing Security Analysis with Anonymized Logs
Contributions • Case studies of common attack types based on classic logs • Derive a common set of anonymization criteria • Retain time interval dependence between records • Pseudonymize the external IP addresses re-identifiably • Pseudonymize the internal IP addresses re-identifiably and preserve some network topology information • First step for privacy-preserving MSSPs Outsourcing Security Analysis with Anonymized Logs
NetFlows and Syslogs • NetFlows: network-based log • Timestamps • IP address pairs (source/destination) • Port pairs (source/destination) • … • Syslog: host-based log • Application level critical events Outsourcing Security Analysis with Anonymized Logs
Which Data is Sensitive? • Identity information • External (source) IP • Partner, common guest and adversary • Internal (destination) IP • Internal user • System privacy & security • Timestamp • When the transactions happen • Destination port number • Services and applications hosted on the system • Subnet number • Internal network structure • Records number • Overall resource usage Outsourcing Security Analysis with Anonymized Logs
Log Anonymization Mechanisms • Timestamp anonymization • Time unit annihilation • Random time shifts • Enumeration • IP address anonymization • Truncation • Random permutation • Prefix-preserving pseudonymization • Port number anonymization • Bilateral Classification • Black Marker Anonymization • Random permutation Outsourcing Security Analysis with Anonymized Logs
Traffic Traces Logs: Port Scan • Scan all ports of a single host: • Source: same address, different port numbers • Destination: • Same addresses • Different ports (sequentially) • In a short time Outsourcing Security Analysis with Anonymized Logs
Traffic Traces Logs: DoS/DDoS • SYN Flood • Source: same addresses, same (or different) port numbers • Destination: • Same addresses • Same port (intended to a particular protocol or application) • Protocol / Packets/ Packet size • In a short time Outsourcing Security Analysis with Anonymized Logs
Anonymization Constraints on Traffic Traces Logs • Timestamp (Start Time) • Events interval and time dependence should be retained • Anonymization • Time unit annihilation • Random time shifts • Enumeration Outsourcing Security Analysis with Anonymized Logs
Anonymization Constraints on Traffic Traces Logs (cont.) • Source/Destination IP address • Anonymized and re-identifiable • Retain virtual network topology (dest.) • Anonymization • Truncation • Random permutation (pseudonyms) • Source (external) IP address • Prefix-preserving pseudonymization • Destination (internal) IP address Outsourcing Security Analysis with Anonymized Logs
Anonymization Constraints on Traffic Traces Logs (cont.) • Source/Destination port number • Contain sensitive information • More efficient if retained • Anonymization • Bilateral Classification • Black Marker Anonymization • Random permutation Outsourcing Security Analysis with Anonymized Logs
Syslog Syslog + Tcplog Time Stamp Host Name (IP) Source Port Dest. Port Message Active Operating System Fingerprinting Outsourcing Security Analysis with Anonymized Logs
Anonymization Constraints on Syslog Outsourcing Security Analysis with Anonymized Logs
Sensitive Data After Anonymization • Traffic volumes • Batched upload • Aggregate volumes • Dummy log records • Sacrifice the efficiency at MSSP • False positives and false negatives • Size of customer base; customer retention • Change the pseudonym mappings periodically • Structure of the internal network • Simple pseudonyms • Periodic rotation of pseudonyms • Policy dependent Outsourcing Security Analysis with Anonymized Logs
Conclusion • Sensitive data should be anonymized for security monitoring • Constraints on log anonymization • Sensitive data leakage after anonymization and countermeasures • Privacy and efficiency is a trade-off Outsourcing Security Analysis with Anonymized Logs
Future Work • Analyze other attacks • Anonymization strategies for wide range of attacks • Patterns of attack detection and general principles • Study other log formats and types • Analyze correlation of different logs across different organizations Outsourcing Security Analysis with Anonymized Logs
Q & A • Jianqing Zhang jzhang24@cs.uiuc.edu • Nikita Borisov nikita@uiuc.edu • William Yurcik byurcik@ncsa.uiuc.edu Outsourcing Security Analysis with Anonymized Logs
Anonymization Constraints on Traffic Traces Logs Outsourcing Security Analysis with Anonymized Logs
Port Scan (cont.) • Portmap scan: • Source: same address, different port numbers • Destination: various addresses, same port (portmap daemon) • In a short time Outsourcing Security Analysis with Anonymized Logs
DoS/DDoS (cont.) • Distributed SYN Flood • Source: different addresses, different port numbers • Destination: • Same addresses • Same ports (intended for a particular protocol) • Protocol / Packets/ Packet size • In a short time Outsourcing Security Analysis with Anonymized Logs